Baseline Phishing Tests

Best Practices Guide: Set Up a Baseline Test

Note:We’ve added advanced features to phishing templates! All accounts will be opted in to phishing template advanced features by January 31, 2025. For more information, see our Phishing Templates Advanced Features Guide.

Before you begin your security awareness training program, we strongly recommend sending an unannounced simulated phishing test to all of your users. This test will help you establish a baseline for your organization.

The results of this baseline phishing test will show your organization's initial Phish-prone Percentage. The Phish-prone Percentage is the percentage of users who are likely to click on a phishing email. Consider this initial Phish-prone Percentage the baseline, or starting point, for your organization. Your organization's overall Phish-prone Percentage, or Account Average Phish-prone Percentage, is based on the Phish-prone Percentage of your active users who have received at least one Phishing Security Test. As you conduct ongoing phishing tests, compare your organization's Phish-prone Percentage with the initial Phish-prone Percentage to measure the success of your security awareness training plan.

Important:Before you conduct your baseline test, please ensure you've whitelisted KnowBe4's IP addresses or domains in your email environment. Use our Whitelisting Wizard or review our Whitelisting Guide to learn the best method for whitelisting your email client and spam filters.

Why Shouldn't I Announce the Test?

We recommend conducting an unannounced baseline phishing test in order to get the most accurate results. By not announcing the test, you can see how vulnerable your organization would be if a real phishing attack made it through your email filters. Having this insight can help you gain buy-in from your stakeholders. To learn more, please see: How Can I Engage My Stakeholders in My Security Awareness Training Plan?.

Recommended Settings for the Baseline Test Campaign

To create your baseline campaign, go to the Phishing tab of your console. Then, click the + Create Phishing Campaign button in the upper right-hand corner to open the New Phishing Campaign page.

Tip:After you've whitelisted and before you create a baseline phishing campaign, we recommend running at least one test campaign that is limited to a small group of users. To learn more, see the Preliminary Test Campaign section of our Quickstart Implementation Guide.

We recommend using the following settings for your baseline test campaign:An image of campaign settings 1-6.

  1. Campaign Name: Name your campaign something descriptive, such as "Baseline Test".
  2. Send to: Select All Users.
  3. Frequency: Select One-time.
  4. Start Time: From the drop-down menus, select the desired date and time for your baseline test. The time you select should be during your organization's business hours as that is when your users are actively checking their emails.
  5. Sending Period: Select Send all emails when the campaign starts. When this setting is selected, emails will begin sending as soon as the campaign begins. The timing of sending and delivery will vary, depending on the number of users in the campaign. In most campaigns, all emails will be sent within an hour after the campaign starts..
  6. Track Activity: We recommend that you track phishing test failures for at least three days. For more information about sending and tracking periods, see our How to Monitor and Review Phishing Campaigns article.
  7. Track Replies to Phishing Emails: You can turn this setting on if you wish to track your users' replies to the phishing test emails. For more information about reply-to phishing, see our Reply-To Phishing article.

An image of campaign settings 8-11.

  1. Template Categories: Select the Phishing for Sensitive Information category from the drop-down menu on the left-hand side.
    1. Then, from the drop-down menu on the right-hand side, search for and select the Password Check Required Immediately template.
  2. Send Localized Emails: If you've uploaded all your users, select this check box to send localized versions of the selected templates. For more information, see the Create a Localized Phishing Campaign section of our Localization Guide.
  3. Phish Link Domain: Choose a domain to use for the phishing link. This is the domain that your users will see when they hover over the phishing link so choose one that looks "safe" to click on. 
  4. Landing Page: Keep Default Landing Pages.
  5. Send an email report to account admins after each phishing test: Select this checkbox so that an email will be sent to all of your account administrators after the test is complete. This email report will be sent to administrators after the Track Activity time period has concluded.

After the Baseline Test

After the baseline phishing test, your users may be confused or concerned about the email that they received. To help with this confusion, we recommend that you send an email explaining what the phishing test was, and you can even share your organization's Phish-prone Percentage to emphasize the importance of security awareness training. We've provided a template that you can use for this email, please see: What Can I Send to My Users After the Baseline Phishing Test is Completed?.

We recommend enrolling your users in security awareness training shortly after conducting your baseline phishing test. To learn more, see Enrolling Your Employees in Security Awareness Training.

Once users have completed their initial security awareness training assignment, we recommend that you conduct ongoing phishing tests so that your users can practice the skills they've learned as part of their training. To learn more about ongoing phishing tests, see our Best Practices Guide

Can't find what you're looking for?

Contact Support